Slashdot Mirror


WordPress Plugs Bug that Led to Google Indexing Some User Passwords (zdnet.com)

A week after releasing v5.0 major update, WordPress has pushed the first security patch for its popular CMS service. ZDNet: Released hours ago, WordPress version 5.0.1 fixes seven security vulnerabilities (some of which allow site takeover) but also plugs a pretty serious privacy leak. The latter was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google. With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords. This leak could have catastrophic consequences if the user has an admin role or if the user didn't change his default password, as is regularly advised.

32 comments

  1. What a turd this thing is ... by Anonymous Coward · · Score: 0

    I've never used it, but I sure as hell block all of their domains at the browser level.

    Hit a page, it's got dozens of references to one of the word press domains, and happily block them.

    I don't trust WP as a visitor, because I've heard endless stories about how it infects users ... and I wouldn't trust it on the back end because I've heard endless stories about how it's insecure.

    At this point I have to conclude that WP is a steaming pile of shit, and have no idea why it's still in use.

    I pretty much assume web sites that my blockers link to word press are not a site I'd *ever* trust to set cookies, have a login, or receive any personally identifiable information -- because either the admins are incompetent, or the software is defective, or both.

    1. Re:What a turd this thing is ... by BringsApples · · Score: 2

      WordPress is an open-source content management system licensed under GPLv2, which means that anyone can use or modify the WordPress software for free. A content management system is basically a tool that makes it easy to manage important aspects of your website – like content – without needing to know anything about programming.

      The end result is that WordPress makes building a website accessible to anyone – even people who aren’t developers.

      --
      Politics; n. : A religion whereby man is god.
    2. Re: What a turd this thing is ... by Anonymous Coward · · Score: 0

      Oh that would be literally the most amusing thing ever to hook up Wordpress at the same time as all these big pieces of software. I can hear the complaints right now

    3. Re: What a turd this thing is ... by Anonymous Coward · · Score: 0

      About 65% of sites run that shit now.

    4. Re: What a turd this thing is ... by Anonymous Coward · · Score: 0

      Easy to install blog software killed MySpace and GeoCities.

    5. Re:What a turd this thing is ... by Anonymous Coward · · Score: 1

      The end result is that WordPress makes building a website accessible to anyone – even people who aren’t developers.

      Not very well or securely, apparently.

    6. Re:What a turd this thing is ... by Anonymous Coward · · Score: 0

      WordPress is built on top of PHP, where security problems seem to be quite common.

      Not sure if that's because PHP is generally/inherently insecure, or just that most PHP developers don't know enough or care enough to make their apps secure.

      Either way, I avoid exposing anything written in PHP to the open internet.

      PHP is supposed to be easy to use, and that attracts a lot of casual developers.
      That's both a blessing and a curse... TANSTAAFL

    7. Re:What a turd this thing is ... by cascadingstylesheet · · Score: 1

      I've never used it, but I sure as hell block all of their domains at the browser level.

      Hit a page, it's got dozens of references to one of the word press domains, and happily block them.

      I don't trust WP as a visitor, because I've heard endless stories about how it infects users ... and I wouldn't trust it on the back end because I've heard endless stories about how it's insecure.

      At this point I have to conclude that WP is a steaming pile of shit, and have no idea why it's still in use.

      I pretty much assume web sites that my blockers link to word press are not a site I'd *ever* trust to set cookies, have a login, or receive any personally identifiable information -- because either the admins are incompetent, or the software is defective, or both.

      All popular CMSs - and even many unpopular CMSs - have had security issues. The open source ones tend to get fixed super quickly.

      Plenty of wonky toolkits, runtimes, etc. - used by oh so super smart devs on their (at a higher level) completely custom websites - have had security issues too.

      WP did have a rather distressing frequency in its early years, but has got much better and has been for quite some time now.

    8. Re:What a turd this thing is ... by Anonymous Coward · · Score: 0

      Except that exposing passwords is a REALLY REALLY STUPID and noob thing to do, and Wordpress is REALLY REALLY good at shit mistakes like this.

      So, people should avoid it if they want any form of a secure system

    9. Re:What a turd this thing is ... by ncc74656 · · Score: 1

      All popular CMSs - and even many unpopular CMSs - have had security issues. The open source ones tend to get fixed super quickly.

      In this case, WordPress 5.0 was only out for about a week before 5.0.1 was released, going by the dates I installed them.

      --
      20 January 2017: the End of an Error.
    10. Re:What a turd this thing is ... by stephanruby · · Score: 1

      All popular CMSs - and even many unpopular CMSs - have had security issues. The open source ones tend to get fixed super quickly.

      One problem with WordPress is that it allows plugins from pretty much anyone.

      So in that sense, it's not just a blog/CMS, it's a full-blown platform, and full-blown platforms are much more vulnerable than standalone pieces of software.

    11. Re: What a turd this thing is ... by Anonymous Coward · · Score: 0

      They weren't exposing passwords. Google was indexing pages that contained default password.

    12. Re:What a turd this thing is ... by squiggleslash · · Score: 2

      That's great and all but the fact you think you can block Wordpress sites by blocking "all of their domains at the browser level" suggests you have no idea what Wordpress is.

      It's a CMS. One of the most popular out there. While there is a Wordpress.com that offers hosted Wordpress services, you don't have to use it, you can install it on your home server, VPS, AWS, whatever you have that runs PHP.

      It doesn't do terrible things to users, it does whatever you want it to. You can customize the entire system. The only major issue with it is that it's written in PHP which means that it has bugs, many of which are security bugs. If it was written in C# or Java it wouldn't have anything like as many issues, although it might be less popular.

      --
      You are not alone. This is not normal. None of this is normal.
    13. Re: What a turd this thing is ... by Anonymous Coward · · Score: 0

      And the difference is?

    14. Re:What a turd this thing is ... by dgatwood · · Score: 1

      Not sure if that's because PHP is generally/inherently insecure, or just that most PHP developers don't know enough or care enough to make their apps secure.

      Neither. It's mostly momentum. The problem is, critical software like MySQL was written without security in mind, and had poor support for query construction, leading to everyone rolling their own functionality, 100% of which contained security bugs, give or take some very small epsilon.

      By the time they finally sorted out the security abomination that was the MySQL C API and replaced it with MySQLi, the old API was so pervasive that there are still sites running old, unsupported versions of PHP so that they can support the APIs, several years after they were removed in PHP 7. And I can pretty much guarantee that many of the "updated" versions just found ways to abuse the MySQLi API rather than doing things right.

      So the newer, more modern API has been around for 13 years at this point, and vestiges of the old API still aren't 100% cleaned up, mostly because the PHP community started out neck-deep in crap code, and they're still shoveling their way out.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  2. Why does anyone use that bag of shit by Anonymous Coward · · Score: 0

    Every other week it's a security hole.

    Fuck anything written in PHP - it's too much of a risk and there are too many idiots making mistakes (and non-idiots as well).

    It's quick and dirty for a reason.

    1. Re:Why does anyone use that bag of shit by JustAnotherOldGuy · · Score: 1

      Fuck anything written in PHP - it's too much of a risk and there are too many idiots making mistakes (and non-idiots as well).

      Thank goodness no one could ever write insecure code in Java, C++, Ruby, Python, ASP, Go, Rust, Haskell, Swift, Kotlin, JavaScript, C#, Elixir, Scala, Objective-C, TypeScript....

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Why does anyone use that bag of shit by squiggleslash · · Score: 1

      Fuck 1950s cars with shiny chrome inside that blinds you when driving, no safety cage, crumple zones, seatbelts...

      Thank god no one could ever get killed in a car crash if they drive a modern Tesla, Volvo, Dodge Caravan...

      --
      You are not alone. This is not normal. None of this is normal.
  3. This is why WordPress is secure. by Qbertino · · Score: 1, Informative

    No joke.

    WP is a messy blob of spaghetti code, albeit one with 160 million active installs. That means a bug like this that would go undetected for months on any other System comes up with a fix two days after its release. And that in turn makes for some pretty reliable security.

    --
    We suffer more in our imagination than in reality. - Seneca
  4. Sorta offtopic but... by Oswald+McWeany · · Score: 1, Offtopic

    I misread the title as "WordPress Plugs Butt" - chuckled to myself when I realized my brain made a mistake and thought I'd share.

    --
    "That's the way to do it" - Punch
    1. Re:Sorta offtopic but... by Anonymous Coward · · Score: 0

      Weird.. I had to reread it three times because I read and re-read the same thing.

  5. Use protection, kids! by JustAnotherOldGuy · · Score: 3, Interesting

    "With specially crafted Google searches, an attacker could find these pages and collect users' email addresses, and in some rare cases, default-generated passwords."

    Another fabulous win for WordPress. (sigh)

    Seriously, if you run WordPress, at least install the WordFence plugin. It's free and prevents a lot of malicious behavior from occurring. I don't know about this specific exploit, but it has stopped a ton of bot-style attacks on the few WP sites I have some responsibility for.

    Install WordFence and look at the logs after a day or two- you'll be astounded (and horrified) at the level of malicious activity it catches and stops.

    (And in case you're wondering, no, I have no connection or financial interest whatsoever in WordFence, I'm just a fan).
     

    --
    Just cruising through this digital world at 33 1/3 rpm...
  6. Barebones CMS is better in every way by Anonymous Coward · · Score: 1

    Barebones CMS is secure in ways that WordPress will never be, its out-of-the-box performance blows away WordPress no matter how you might configure WordPress, Barebones consumes far fewer system resources than WordPress (100KB instead of 64MB RAM per user), and supplies everything you could ever need in terms of content authoring and content management. Barebones CMS is also a fraction of the size of WordPress, Joomla!, and Drupal and offers a sane open source license (your choice of MIT or LGPL).

    WordPress as a CMS is a joke. It's a giant mess of code that barely functions and kills server performance. Server operators like GoDaddy hate WordPress because of the unnecessarily heavy load it places on their infrastructure. Security vulnerabilities and exploits are all too common in the WP universe.

    1. Re:Barebones CMS is better in every way by Anonymous Coward · · Score: 0

      If GoDaddy hates it so much then why have they purchased so many WordPress companies?
      If WordPress is so slow then how come there are so many giant sites with millions of visitors using it?
      It all comes down to the Web Master and how they implement the software. Anything can be dangerous in unskilled hands.
      This security hole was patched within days of being discovered. That's a lot better than the bazillion holes in Java that are now older than many of you have even been developing.
      If you believe any one software tool is 100% secure then you obviously know very little. There are "flaws" in everything, it's what makes this fun.
      So exactly how many people were affected by this particular security flaw? Answer; less than 1.
      With that being said, WordPress 5.x does kind of suck.

  7. Never store passwords by Darinbob · · Score: 2

    This just seems like novice mistakes. Passwords should NEVER be stored. There is never a need to store a password at any time. If it's not stored then there is minimal chance of exposing the password. I think the newbies to programming don't know this, and they think that they have to compare the password typed in to a stored password, which is wrong. The first step is to make a secure hash of the password, and the second step is to clear the password from memory. Of course that's not all you need to do, but if you don't use those two steps then it means the implementer doesn't understand security. If a password is ever in a database then someone has screwed up.

    1. Re:Never store passwords by Anonymous Coward · · Score: 0

      Please, RTFS. Key phrases: "activation screen", "default-generated passwords". How else do you expect WP to send the newly-generated password to the user?

  8. you're wrong, RTFA by Anonymous Coward · · Score: 1

    MIME type verification is standard verification for almost any file upload system these days.

    We're talking 10+ years it took for those 160 zealots to even realize that MIME types were a thing and they can be used to spoof file uploads (and yes you can spoof MIME type afaik but that's not the point)

    The other vuln was in a 3rd party plugin, totally unrelated to Wordpress core. The 3rd party even admits in the article *they* found it, not the 160 million zealots you describe above.

    Yep. Wordpress. Totally Secure.

    1. Re:you're wrong, RTFA by Anonymous Coward · · Score: 0

      I think you are missing the point. He or she isn't saying WordPress is secure; but rather that the only reason WordPress has anything remotely close to security is because the usage-base and eyeballs help the detection of the bugs.

  9. Security issues since version 3.7 by Anonymous Coward · · Score: 0

    What is even more pathetic is that this security release fixes all versions from 3.7 to 5.0. 3.7 was released back in October, 2013.